Carbon Black Cloud: Policy Deny for Trusted Process Shortly After Restart

Environment

  • Carbon Black Cloud Sensor: 3.8
  • Microsoft Windows 10

Symptoms

  • Alert for process says it was blocked due to policy deny
  • Cloud (Initial) reputation shows --
  • Cloud (Current) reputation shows TRUSTED_WHITE_LIST
  • Block / alert occurred around sensor startup
  • Policy settings include "Delay execute on cloud scan"
  • Policy rule to block Unknown application or process > Invokes an untrusted process.

Cause

The sensor tries to get the process's reputation from the cloud but is unable to because of network issues. When this happens, the reputation is not available and the process is blocked.

Resolution

Once the device has network connections, the process reputation should update so future runs won't be blocked.

Additional Notes

Resolving network issues on the device is outside the scope of Carbon Black Support and should be investigated with network / system administrators.
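
When triaging a batch of exported alerts, the alert-side symptoms listed above can be checked mechanically to separate this startup condition from blocks that need normal investigation. The following is an added example, not Carbon Black code: the record field names, the `POLICY_DENY` reason string, the `OTHER_REPUTATION` value and the 5-minute window are assumptions, and the policy-side symptoms still have to be confirmed in the console.

```python
from datetime import datetime, timedelta

# Assumption: the article gives no figure for "around sensor startup"; 5 minutes is a placeholder.
STARTUP_WINDOW = timedelta(minutes=5)
MISSING = (None, "", "--")  # the article shows "--" when no initial reputation was obtained

# Constructed records; field names are hypothetical, not the product's alert schema.
ALERTS = [
    {"id": "a1", "reason": "POLICY_DENY", "initial_rep": "--",
     "current_rep": "TRUSTED_WHITE_LIST",
     "sensor_start": "2022-07-04T08:00:10", "blocked_at": "2022-07-04T08:00:42"},
    {"id": "a2", "reason": "POLICY_DENY", "initial_rep": None,
     "current_rep": "TRUSTED_WHITE_LIST",
     "sensor_start": "2022-07-04T08:00:10", "blocked_at": "2022-07-04T11:30:00"},
    {"id": "a3", "reason": "POLICY_DENY", "initial_rep": "--",
     "current_rep": "OTHER_REPUTATION",  # constructed placeholder value
     "sensor_start": "2022-07-04T08:00:10", "blocked_at": "2022-07-04T08:01:00"},
    {"id": "a4", "reason": "POLICY_DENY", "initial_rep": "--",
     "current_rep": "TRUSTED_WHITE_LIST",
     "sensor_start": None, "blocked_at": "2022-07-04T08:01:00"},
]

def unmet_symptoms(alert, window=STARTUP_WINDOW):
    """Return the article's symptoms this alert does NOT show (empty list = full match)."""
    unmet = []
    if alert.get("reason") != "POLICY_DENY":
        unmet.append("not a policy deny")
    if alert.get("initial_rep") not in MISSING:
        unmet.append("initial reputation was available")
    if alert.get("current_rep") != "TRUSTED_WHITE_LIST":
        unmet.append("current reputation is not TRUSTED_WHITE_LIST")
    start, blocked = alert.get("sensor_start"), alert.get("blocked_at")
    if not start or not blocked:
        # Without both timestamps the startup timing cannot be confirmed.
        unmet.append("startup or block time unknown")
    else:
        delta = datetime.fromisoformat(blocked) - datetime.fromisoformat(start)
        if not timedelta(0) <= delta <= window:
            unmet.append("block not within startup window")
    return unmet

def startup_race_ids(alerts, window=STARTUP_WINDOW):
    """IDs of alerts matching every symptom; the rest need normal investigation."""
    return [a["id"] for a in alerts if not unmet_symptoms(a, window)]

if __name__ == "__main__":
    for a in ALERTS:
        print(a["id"], unmet_symptoms(a) or "matches startup pattern")
```

An alert that fails any check, including one with an unknown sensor start time, is left for regular triage rather than assumed to be this issue.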

Article Information
Creation Date: 07-04-2022